New submission from STINNER Victor <victor.stinner at haypocalc.com>:

Python3 skips environment variables which cannot be parsed and
decoded as unicode strings. But exec*() functions keep the original
environment and so the child process environment is different from the
Python environment (from os.environ).

I propose to remove these variables to avoid strange behaviours, but
also to avoid possible security issues.

The attached patch is an implementation of this idea using a custom
implementation of unsetenv(): the _Py_unsetenv() argument is not the name
of the variable but the raw variable including the value (e.g. "a=b").
So it's also possible to drop truncated variables like "a" (no value
nor "=" character).

This issue also affects Python2 since Python2 also skips variables
with no value but the variables still exist in memory (and so child
processes get them).
----------
components: Interpreter Core
files: unsetenv.patch
keywords: patch
messages: 74784
nosy: haypo
severity: normal
status: open
title: remove not decodable environment variables
type: security
versions: Python 3.0
Added file: http://bugs.python.org/file11799/unsetenv.patch
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue4126>
_______________________________________
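
The mismatch described in the report, as an added example that is not part of the submission or of unsetenv.patch: it splits a raw environment block (the NUL-separated layout of /proc/<pid>/environ on Linux) into the variables a strict decoder would expose and the entries it would skip while the raw block handed to exec*() still contains them. The function names, the UTF-8 encoding and the sample block are assumptions made for the illustration.

```python
# Added illustration; names and sample data are constructed, not from unsetenv.patch.

def split_environ_block(block):
    """Split a NUL-separated environment block into raw b"name=value" entries."""
    return [entry for entry in block.split(b"\0") if entry]


def classify_environ(entries, encoding="utf-8"):
    """Return (visible, hidden).

    visible: name -> value for entries that contain '=' and decode strictly.
    hidden:  (raw_entry, reason) pairs for entries a strict decoder skips,
             i.e. the ones a child process would inherit unseen.
    """
    visible, hidden = {}, []
    for raw in entries:
        name, sep, value = raw.partition(b"=")
        if not sep or not name:
            # Truncated entry such as b"a": no '=' and no value.
            hidden.append((raw, "no '=' separator or empty name"))
            continue
        try:
            visible[name.decode(encoding)] = value.decode(encoding)
        except UnicodeDecodeError:
            hidden.append((raw, "not decodable as " + encoding))
    return visible, hidden


def child_env(visible):
    """Explicit environment for a child, built only from the visible variables."""
    return dict(visible)


# Constructed sample block: two bad encodings and one truncated entry.
SAMPLE_BLOCK = b"\0".join([
    b"PATH=/usr/bin:/bin",
    b"LANG=en_US.UTF-8",
    b"BADVALUE=caf\xe9",   # Latin-1 byte, invalid as UTF-8
    b"BAD\xffNAME=1",      # invalid byte in the name
    b"TRUNCATED",          # no '=' at all
    b"EMPTY=",             # empty value is still a valid variable
]) + b"\0"

if __name__ == "__main__":
    visible, hidden = classify_environ(split_environ_block(SAMPLE_BLOCK))
    print("visible to the interpreter:", sorted(visible))
    for raw, reason in hidden:
        print("inherited but hidden:", raw, "->", reason)
```

Passing the result of `child_env()` as the `env=` argument of `subprocess.run()` gives the child exactly the variables the parent can see, instead of the inherited raw block.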